Best practice rules for OCI Kubernetes Engine
- Avoid Wildcard Use in Roles and ClusterRoles
Ensure that wildcard use is avoided in Roles and ClusterRoles.
- Check for CNI Plugin Version
Ensure that the CNI plugin used by the OKE cluster supports network policies.
- Check for Kubelet Configuration File Ownership
Ensure that the Kubelet configuration file ownership is set to "root:root".
- Check for Kubelet Configuration File Permissions
Ensure that the kubelet configuration file has permissions set to 644.
- Check for Streaming Connection Idle Timeout
Ensure that the "streamingConnectionIdleTimeout" parameter is not set to 0 (zero).
- Check for kubelet-config.json File Ownership
Ensure that the kubelet-config.json file ownership is set to "root:root".
- Check for kubelet-config.json File Permissions
Ensure that the kubelet-config.json file has permissions set to 644.
- Disable Anonymous Requests to Kubelet Server
Ensure that anonymous requests to the Kubelet server are disabled.
- Disable Kubelet Read-Only Port
Ensure that the Kubelet read-only port is disabled.
- Disable Kubernetes API Public Endpoint
Ensure that public access to the Kubernetes API is disabled (allow access via private endpoints only).
- Enable Authentication Using SSL/TLS Certificates
Ensure that Kubelet authentication using SSL/TLS certificates is enabled.
- Enable Capturing Security-Relevant Events Without Restriction
Ensure that Kubernetes is configured to capture security-relevant events without restriction.
- Enable Explicit Authorization
Ensure that the Kubelet server authorization mode is not set to "AlwaysAllow".
- Enable HTTPS for Kubelet Servers
Ensure that Kubelet servers are configured to serve only HTTPS traffic.
- Enable Kubelet Client Certificate Rotation
Ensure that Kubelet client certificates are automatically rotated by setting the "rotateCertificates" parameter to true.
- Enable Kubelet Server Certificate Rotation
Ensure that Kubelet server certificates are automatically rotated.
- Enable Kubelet to Manage iptables
Ensure that Kubelet is allowed to manage iptables.
- Enable Support for Network Policy
OKE clusters should be configured with network policy support to enforce proper segmentation and secure communications.
- Limit Default Service Account Usage
Avoid using default service accounts for your OCI Kubernetes Engine (OKE) clusters.
- Minimize Admission of Containers Sharing the Host IPC Namespace
Ensure that containers are not permitted to run with the "hostIPC" flag set to true.
- Minimize Admission of Containers Sharing the Host Network Namespace
Ensure that containers are not permitted to run with the "hostNetwork" flag set to true.
- Minimize Admission of Containers Sharing the Host Process ID Namespace
Ensure that containers are not permitted to run with the "hostPID" flag set to true.
- Minimize Admission of Privileged Containers
Ensure that containers are not permitted to run with the "securityContext.privileged" flag set to true.
- Prevent Privilege Escalation
Ensure that containers are not permitted to run with the "allowPrivilegeEscalation" flag set to true.
- Restrict "cluster-admin" Role Usage
Ensure that the use of the "cluster-admin" role is restricted across your OKE clusters.
- Restrict Access to Secrets
Ensure that access to secrets is restricted across your OKE clusters.
- Restrict Access to the Kubernetes Control Plane
Ensure that access to the Kubernetes control plane endpoint is restricted.
- Restrict Service Account Token Mounting
Ensure that service account tokens are mounted only where strictly necessary.
- Restrict the Ability to Create Pods
Ensure that only authorized personnel can create pods.
- Use Dedicated Service Accounts
Ensure that dedicated service accounts are used for OCI Kubernetes Engine (OKE) clusters.
- Use Network Policies
Use network policies to control traffic within your OKE cluster network.
- Use Non-Default Namespaces
Ensure that the default Kubernetes namespace is not used.
- Use Private Nodes
Enable private nodes for OCI Kubernetes Engine (OKE) clusters.
- Use Secrets as Files Instead of Environment Variables
Ensure that secrets are mounted as files, not environment variables.